Package: typo3
Version: 4.3.9+dfsg1-1+squeeze7
Severity: grave
Tags: security, upstream
Hi,

It has been discovered that TYPO3 Core is susceptible to SQL Injection and Open Redirection. Here is the relevant information:
https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-001/

A CVE number was requested at:
http://seclists.org/oss-sec/2013/q1/611

The patch that fixes the SQL Injection is the following:
http://git.typo3.org/TYPO3v4/CoreProjects/MVC/extbase.git/commitdiff/d00f4b6523507db3c4c7601cf7758333c8290c1d

However, to make it apply to the older typo3 in Squeeze you first have to apply the following ones:
http://git.typo3.org/TYPO3v4/CoreProjects/MVC/extbase.git/commitdiff/76f0c979dd5d221807c086cb7a4eb912055d8318
http://git.typo3.org/TYPO3v4/CoreProjects/MVC/extbase.git/commitdiff/68a2f3d653d77d8ed9a283e30f07e6f718c18f19

I'm attaching the file 10-SecBull-TYPO3-CORE-SA-2013-001.patch, which is ready to drop into debian/patches and is the result of applying, in order, the above commits:
* 76f0c979dd5d221807c086cb7a4eb912055d8318
* 68a2f3d653d77d8ed9a283e30f07e6f718c18f19
* d00f4b6523507db3c4c7601cf7758333c8290c1d

For the other issue in the security bulletin (the open redirection issue), the relevant commit seems to be
http://git.typo3.org/TYPO3v4/Core.git/commit/71135d82ccb74b3ccf8673ce197cd8c4340d5163
but I don't have a backport of it to squeeze.

typo3 in squeeze-backports and wheezy is also affected.

Regards!
--- a/typo3/sysext/extbase/Classes/Persistence/Storage/Typo3DbBackend.php +++ b/typo3/sysext/extbase/Classes/Persistence/Storage/Typo3DbBackend.php 
@@ -494,18 +494,17 @@ $typeOfRelation = $columnMap->getTypeOfRelation(); if ($typeOfRelation === Tx_Extbase_Persistence_Mapper_ColumnMap::RELATION_HAS_AND_BELONGS_TO_MANY) { $relationTableName = $columnMap->getRelationTableName(); - $sql['where'][] = $tableName . '.uid IN (SELECT ' . $columnMap->getParentKeyFieldName() . ' FROM ' . $relationTableName . ' WHERE ' . $columnMap->getChildKeyFieldName() . '=' . $this->getPlainValue($operand2) . ')'; + $sql['where'][] = $tableName . '.uid IN (SELECT ' . $columnMap->getParentKeyFieldName() . ' FROM ' . $relationTableName . ' WHERE ' . $columnMap->getChildKeyFieldName() . '=?)'; + $parameters[] = intval($this->getPlainValue($operand2)); } elseif ($typeOfRelation === Tx_Extbase_Persistence_Mapper_ColumnMap::RELATION_HAS_MANY) { $parentKeyFieldName = $columnMap->getParentKeyFieldName(); if (isset($parentKeyFieldName)) { - $columnName = $this->dataMapper->convertPropertyNameToColumnName($operand1->getPropertyName(), $source->getNodeTypeName()); $childTableName = $columnMap->getChildTableName(); - $sql['where'][] = $tableName . '.uid=(SELECT ' . $childTableName . '.' . $parentKeyFieldName . ' FROM ' . $childTableName . ' WHERE ' . $childTableName . '.uid=' . $this->getPlainValue($operand2) . ')'; + $sql['where'][] = $tableName . '.uid=(SELECT ' . $childTableName . '.' . $parentKeyFieldName . ' FROM ' . $childTableName . ' WHERE ' . $childTableName . '.uid=?)'; + $parameters[] = intval($this->getPlainValue($operand2)); } else { - $statement = '(' . $tableName . '.' . $operand1->getPropertyName() . ' LIKE \'%,' . $this->getPlainValue($operand2) . ',%\''; - $statement .= ' OR ' . $tableName . '.' . $operand1->getPropertyName() . ' LIKE \'%,' . $this->getPlainValue($operand2) . '\''; - $statement .= ' OR ' . $tableName . '.' . $operand1->getPropertyName() . ' LIKE \'' . $this->getPlainValue($operand2) . ',%\')'; - $sql['where'][] = $statement; + $sql['where'][] = 'FIND_IN_SET(?,' . $tableName . '.' . $columnName . 
')'; + $parameters[] = intval($this->getPlainValue($operand2)); } } else { throw new Tx_Extbase_Persistence_Exception_RepositoryException('Unsupported relation for contains().', 1267832524); @@ -830,9 +829,9 @@ */ protected function parseLimitAndOffset($limit, $offset, array &$sql) { if ($limit !== NULL && $offset !== NULL) { - $sql['limit'] = $offset . ', ' . $limit; + $sql['limit'] = intval($offset) . ', ' . intval($limit); } elseif ($limit !== NULL) { - $sql['limit'] = $limit; + $sql['limit'] = intval($limit); } }
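Review bot: in the first hunk (@@ -494) the only visible assignment to `$columnName` (`$columnName = $this->dataMapper->convertPropertyNameToColumnName($operand1->getPropertyName(), $source->getNodeTypeName());`) is removed from the `isset($parentKeyFieldName)` arm, yet the new `else` arm builds `'FIND_IN_SET(?,' . $tableName . '.' . $columnName . ')'`; when dropping this backport into the Squeeze tree, confirm that `$columnName` is assigned earlier in the method, above this hunk's context, otherwise the clause is built from an undefined variable and degrades to `FIND_IN_SET(?,<table>.)`. The same applies to `$parameters[]`, which all three arms now append to but which nothing in the hunk declares or hands to the placeholder replacement: check that the two prerequisite commits named in the report introduce that array and that the `?` markers are bound in the same order the `where` clauses are pushed. Note also that the three removed `LIKE '%,...,%'` patterns accepted arbitrary string operands, while `intval($this->getPlainValue($operand2))` restricts the comma-list match to integer uids; that is the intended hardening, but it is a behaviour change for any site that stored non-numeric comma lists and is worth a line in the changelog.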
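Review bot: in the second hunk (@@ -830) `intval()` closes the injection but passes negative values through unchanged, so `parseLimitAndOffset(10, -1, $sql)` now produces `$sql['limit'] = '-1, 10'`, which the database rejects as a syntax error rather than as a validation failure; consider `intval()` followed by `max(0, ...)` on both `$offset` and `$limit`, or an explicit exception on negative input, so a bad offset fails loudly in extbase instead of surfacing as a database error.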
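The pattern the attached patch applies, shown as an added example written for this report (it is not TYPO3 or extbase code; the table and column names, the `bindPlaceholders()` helper and the attacker string are all constructed for illustration): the subselect that concatenates the value of `getPlainValue($operand2)` beside its placeholder-plus-`intval()` replacement, and the same before/after pair for the LIMIT clause.

```php
<?php
// Added example for this bug report; not TYPO3/extbase code. Table and column
// names, the binder below and the attacker value are constructed.

// Pre-patch shape of the RELATION_HAS_MANY clause: the operand value is pasted
// into the subselect, so any non-numeric content becomes part of the SQL.
function buildContainsWhereVulnerable($tableName, $childTableName, $parentKeyFieldName, $value)
{
    return $tableName . '.uid=(SELECT ' . $childTableName . '.' . $parentKeyFieldName
        . ' FROM ' . $childTableName . ' WHERE ' . $childTableName . '.uid=' . $value . ')';
}

// Post-patch shape: a '?' marker in the SQL and an integer-cast value queued
// in $parameters, bound later in the order the clauses were pushed.
function buildContainsWhereSafe($tableName, $childTableName, $parentKeyFieldName, $value, array &$parameters)
{
    $parameters[] = intval($value);
    return $tableName . '.uid=(SELECT ' . $childTableName . '.' . $parentKeyFieldName
        . ' FROM ' . $childTableName . ' WHERE ' . $childTableName . '.uid=?)';
}

// Pre- and post-patch shape of parseLimitAndOffset().
function buildLimitVulnerable($limit, $offset)
{
    return $offset . ', ' . $limit;
}

function buildLimitSafe($limit, $offset)
{
    return intval($offset) . ', ' . intval($limit);
}

// Hypothetical stand-in for the placeholder replacement step (extbase has its
// own): each '?' is consumed left to right; ints are inlined, strings quoted.
function bindPlaceholders($sql, array $parameters)
{
    $i = 0;
    return preg_replace_callback('/\?/', function () use ($parameters, &$i) {
        $p = $parameters[$i++];
        return is_int($p) ? (string) $p : "'" . addslashes((string) $p) . "'";
    }, $sql);
}

// Constructed attacker-controlled operand, e.g. a request argument that an
// extbase controller maps straight into a contains() query constraint.
$evil = '1) OR 1=1 -- ';

echo "vulnerable: ", buildContainsWhereVulnerable('tx_demo_post', 'tx_demo_comment', 'post', $evil), "\n";

$params = array();
$where = buildContainsWhereSafe('tx_demo_post', 'tx_demo_comment', 'post', $evil, $params);
echo "hardened:   ", bindPlaceholders($where, $params), "\n";

echo "vulnerable LIMIT: ", buildLimitVulnerable('10', '0 OR 1=1'), "\n";
echo "hardened LIMIT:   ", buildLimitSafe('10', '0 OR 1=1'), "\n";
```

Run it with `php example.php`: the vulnerable WHERE clause ends in `.uid=1) OR 1=1 -- )`, i.e. the operand has closed the subselect itself, appended its own condition and commented out the original closing parenthesis, while the hardened clause ends in `.uid=1)` because `intval()` keeps only the leading integer and the binder only ever substitutes that integer for the `?`. The LIMIT pair shows the same effect, `0 OR 1=1, 10` against `0, 10`.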